Agile Information Services
https://www.agileis.com
Fri, 24 May 2019 15:39:10 +0000

Security Is Now A Concern For Open Source Software
https://www.agileis.com/2019/05/24/security-is-now-a-concern-for-open-source-software/
Fri, 24 May 2019 15:00:00 +0000

This year's Open Source Security and Risk Analysis Report analyzed the anonymized data of more than 1,200 commercial codebases from 2018. According to the report, managing open source risk continues to pose a significant challenge for industry.

The Synopsys Cybersecurity Research Center, which produces the report, found that 96 percent of the codebases it analyzed contained open source components.

Those codebases contained an average of 298 open source components each, up from an average of 257 in 2017. Disturbingly, the research center found more than 16,500 vulnerabilities over the course of its research, and more than 40 percent of the codebases analyzed contained at least one high-risk open source vulnerability.

The major problem does not stem from the fact that open source components are more prone to bugs. Rather, it stems from the fact that while companies are often quick to embrace open source software, they tend to do a relatively poor job of keeping it up to date.

The research group summarizes their findings as follows:

"At the end of the day, all software is vulnerable to attack - without exception - and the nature of open source software is to shine a light on the issues it has, leading to increased visibility of bugs, not an increase in bugs.

The security risk is significantly diminished by increasing visibility. If you're not using open source components, you'd be using closed source components - either commercially available or hand-rolled - that have just as high of a likelihood of being vulnerable. Except that you just don't know about the bugs, unlike with open source components."

The group recommends the following actions. First, make regular use of the readily available tools that scan your codebase to identify its open source components and their version numbers. Then check that inventory against one or more vulnerability databases to be sure you're adequately protected. If you're not currently doing so, the time is now.

Stolen Personal And Medical Information Was Found Online
https://www.agileis.com/2019/05/23/stolen-personal-and-medical-information-was-found-online/
Thu, 23 May 2019 15:10:00 +0000

Jeremiah Fowler, a researcher with Security Discovery, recently found an unprotected Elasticsearch database owned by a company called SkyMed exposed on the internet. According to his findings, the database was configured such that it was open and visible to any browser, allowing anyone who stumbled across it to edit, download, or even delete data without administrative credentials.

The database contained a total of 136,995 patient records with histories going back thirty years in some cases.

It also included a variety of personally identifiable information such as:

Patient full name

Email address

Date of birth

Address

Phone numbers

In some cases, detailed medical information

Mr. Fowler promptly contacted SkyMed to inform them of the discovery. To their credit, the company promptly took the database offline. They did not, however, make a formal reply to Mr. Fowler. They have not, to this point, reached out to any of the patients whose names and personal information appeared in the database.

In addition to the unprotected database, Mr. Fowler discovered forensic evidence indicating that the company's network may have been infected with an unknown ransomware strain. Again, however, the company has maintained total silence and has not contacted anyone, including its customers or impacted patients, with details.

This complete lack of response is highly unusual. On the heels of such an incident, we normally see a formal acknowledgement, an apology, and a statement to the effect that the company is working with law enforcement and possibly engaging a third party to assist with the investigation. In addition, companies almost always make some effort to reach out to impacted parties to warn them of the dangers, advise them of next steps they can take, and offer free credit protection.

None of that has happened thus far, which could prove to be disastrous for SkyMed. In the absence of those steps, it's difficult to see how the company's customers can trust them going forward. In any case, be advised that if you are in any way reliant on SkyMed for any part of your care, there's a chance your personally identifiable data was exposed.

Google Giving More Flexibility To Private Data Removal
https://www.agileis.com/2019/05/22/google-giving-more-flexibility-to-private-data-removal/
Wed, 22 May 2019 15:00:00 +0000

Tech giant Google recently unveiled the next step in its plan to put more power in the hands of users when it comes to their own data. The most recent change is the introduction of a new auto-delete feature tied to your Google account.

It will allow you to set your Location History and Web & App Activity data to auto-delete after a period of time that you define.

With the way things currently work, users have two options: they can disable Location History and Web & App Activity entirely, or they can manually delete portions of their data (or all of it). Neither option is great, since many apps won't function with those services disabled, and manual deletion is exceedingly cumbersome.

Worse, an AP investigation last year revealed that even if you take the step of disabling your Location History, Google can, will, and does continue to track your location. In fact, just last month it came to light that Google maintains a gigantic database called 'Sensorvault' that contains the detailed location histories of hundreds of millions of phones around the world. In addition, the company reportedly makes the database available to law enforcement agencies to assist them in solving crimes.

This caught the attention and drew the ire of privacy advocates around the world. This most recent change comes on the heels of that revelation, and to the company's credit, it's a good move.

Under the new system, you have three options to choose from:

Keep until I delete manually

Keep for 18 months, then delete automatically

Keep for 3 months, then delete automatically

At this point, there's no official word from the company on when the new feature will be rolled out. You can be sure that when it is, it will make headlines everywhere. It's a pity that it took this long to see, but it's a solid step in the right direction.

Scammers Now Use Google Ads To Steal Information
https://www.agileis.com/2019/05/21/scammers-now-use-google-ads-to-steal-information/
Tue, 21 May 2019 15:00:00 +0000

There's a new scam afoot that involves using Google Ads.

We're frankly surprised that it's working, but apparently, it's drawing some unsuspecting customers in. It appears to be an organized campaign.

The unknown scam artists are creating ads with phrases like:

"Amazon.com - Best place to get dream products. Best deals - Best support - Best price."

"Paypal.com - Discover how easy and safe it is to pay for goods and shop. Free Return Shipping. 180-day Refund Windows. No funds needed."

"Ebay.com - Find the best selling Cell Phone Cases, Covers and Skins. Get the best deals for cell phones and smartphones. Dream Garage Spring Event..."

These ads contain phone numbers and invite viewers to call them. Of course, the numbers displayed in the ads aren't the real support numbers for those companies. A user who calls one is greeted by someone claiming to work for the support department of the company named in the ad.

Early in the conversation, the scammer announces some type of problem with the user's account and says they can fix the issue, but that to do so they'll need the code found on the back of a Google Play Store gift card.

Why this doesn't raise an immediate red flag for users is a mystery. Apparently, some users who have a gift card are handing over the code, which the scammers promptly make use of. For Google's part, they are working to remove the ads, but it's a bit like playing Whack-A-Mole: for every one they identify and take down, a new one seems to appear.

In any case, the company did issue an official statement which reads as follows:

"We have strict policies that govern the kinds of ads we allow on our platform, and ads that conceal or misstate information about their business are prohibited on our platform. When we find ads that violate our policies, we remove them."

Email Providers Found To Have Signature Vulnerabilities
https://www.agileis.com/2019/05/20/email-providers-found-to-have-signature-vulnerabilities/
Mon, 20 May 2019 15:00:00 +0000

A team of security researchers has uncovered a serious flaw in several major email clients that you need to be aware of.

The flaw allows hackers to fake verified signatures, which gives their phishing and other email-based attacks the appearance of legitimacy.

According to research conducted by the team, the following email clients are vulnerable to this exploit:

Thunderbird

Apple Mail with GPGTools

iOS Mail

Microsoft Outlook

Mailpile

Roundcube

K-9 Mail

Airmail

MailMate

Evolution

KMail

GpgOL

What The Risks Are

Ostensibly, an email signature is supposed to provide end-to-end authenticity, legitimacy, and integrity. When you receive an email containing a verified signature, it's a sign that it's from a safe, trusted source. Unfortunately, now that several of the largest and most widely used email clients have been found to be vulnerable to signature spoofing attacks, that's out the window. If you've been in the habit of treating an email as safe once you spot a verified signature, it's simply no longer safe to do that.

The research team described their research, in part, as follows:

"In our scenario, we assume two trustworthy communication partners, Alice and Bob, who have securely exchanged their public PGP keys or S/MIME certificates. The goal of our attacker Eve is to create and send an email with arbitrary content to Bob, whose email client falsely indicates that the email has been digitally signed by Alice.

Our attack model does not include any form of social engineering. The user opens and reads received emails as always, so awareness training does not help to mitigate the attacks."

That's dark news indeed, and even worse, a raft of CVEs has been opened to account for and fix the vulnerabilities that make this type of signature spoofing possible. However, there are no easy fixes here, and there's no timetable at this point from any of these email providers on when or if the issues will be resolved.

Android Wifi Hotspot App Leaks Network Passwords And Information
https://www.agileis.com/2019/05/18/android-wifi-hotspot-app-leaks-network-passwords-and-information/
Sat, 18 May 2019 15:00:00 +0000

Do you use an Android app called 'WiFi Finder'? If so, be advised that your network password has likely been exposed, based on research conducted by Sanyam Jain of the GDI Foundation.

Jain discovered an unprotected database online associated with the app that contained more than two million network passwords.

He reported his findings to Zack Whittaker of TechCrunch, and the two of them spent more than two weeks trying to contact the China-based developer, to no avail. When that effort failed, they contacted DigitalOcean, the company hosting the database, which promptly pulled it offline.

As to the app itself, WiFi Finder is very good at what it does, and it does what the name suggests. It searches for WiFi hotspots and maps them, giving users the ability to upload all their stored WiFi passwords.

Unfortunately, the app isn't picky. It makes no distinction between public and private hotspots. If your neighbor has an unprotected router, it'll show up on the list.

According to statistics obtained from Google, WiFi Finder has been downloaded more than 100,000 times. Given how many WiFi hotspots there are all over the world, each user is bound to have a dozen or more mapped by the app, which adds up to a lot of hotspots and is consistent with the size of the database Jain found.

If there's a bright spot to be found in the incident, the database did not include contact information for the WiFi owners. However, it did contain geolocation data, and of course, if you saved your passwords in the app, then that was included as well.

If you're currently using the app, to be safe, you should probably delete it and find a better option. Then change your WiFi passwords, as there's no telling who may now have access.

Popular Fitness Site Endures A Customer Information Breach
https://www.agileis.com/2019/05/17/popular-fitness-site-endures-a-customer-information-breach/
Fri, 17 May 2019 15:00:00 +0000

Do you frequent the website bodybuilding.com?

If so, be advised that the site has been breached.

According to a recent statement by the company behind the site, the breach occurred in February 2019 and had its origins in a phishing email the company received back in July 2018.

A detailed account of the incident was published on the company's help center and contained most of the elements we've come to expect when things like this happen:

The company is very sorry that it happened

"Certain" customer/member information may have been compromised

The company has been working with law enforcement and has brought in a third party to assist with the forensic investigation, which is ongoing

The company also stressed that while partial payment account numbers were compromised, no full debit or credit card information was at risk. That is because the site stores only the last four digits of a payment card, and only when a given user opted to have the data stored by the website.

Again in keeping with the common response to incidents like these, Bodybuilding.com reported that, out of an abundance of caution, it is force-resetting all user passwords. If it's been a while since you've logged on, just be aware that the next time you do, you'll be prompted to change your password.

As to the specific data that was compromised, according to the latest information posted by the company, the following information was accessed by unknown third parties:

User name

The email address you used to sign up for the service

Your billing and/or shipping address

Your phone number

Your order history

Your birthday

Any correspondence that may have occurred between you and the site administrators

Any other information you included in your profile

As ever, if you're using the same password on this site that you use on some other, be sure to change both immediately. Try hard to break the habit of using the same password across multiple web properties.

Password Policies Getting Update From Microsoft
https://www.agileis.com/2019/05/16/password-policies-getting-update-from-microsoft/
Thu, 16 May 2019 15:10:00 +0000

Industry experts have been predicting the death of the humble password for decades. To date, those predictions have amounted to nothing.

Passwords are still with us, and still serve as the cornerstone of security, even as other measures have arisen alongside them to help better secure your all-important data.

Even though passwords aren't gone, the security landscape is changing. Recently, Microsoft has announced another step down that path of change. They're doing away with the notion of forced password changes.

The logic is hard to argue with. The policy of forced password changes really doesn't offer all that much in the way of protection. It often creates as many headaches and problems as it solves, because users tend to make small, virtually meaningless, and easy-to-predict changes to their passwords, or they simply forget their new ones anyway.

While Microsoft is no longer forcing password changes at periodic intervals, it is leaving the option available for enterprise users to establish their own forced password change thresholds if they choose to do so. In tandem with the coming change, the company is also recommending that security professionals periodically review passwords to ensure that the passwords in use aren't on the UK National Cyber Security Centre's list of the 100,000 worst passwords.

One important thing to note is the fact that the company isn't making any changes to its requirements for minimum password length, complexity, or history. That is essential in terms of keeping users from simply recycling the same two or three passwords, switching endlessly back and forth between them.

It's also worth mentioning that these changes could benefit companies that are currently under audit, at least if the auditing agency is using Microsoft's security baseline as a guideline. This may seem like a small change, but it is more significant than it may first appear.

Windows Update May Fail With External Storage Devices
https://www.agileis.com/2019/05/15/windows-update-may-fail-with-external-storage-devices/
Wed, 15 May 2019 15:00:00 +0000

Microsoft recently issued an important support document that your IT staff needs to be aware of.

In part, their notice reads as follows:

"Inappropriate drive reassignment can occur on eligible computers that have an external USB device or SD memory card attached during the installation of the May 2019 update. For this reason, these computers are currently blocked from receiving the May 2019 update."

If you have one or more machines on your company network with USB-connected drives or SD cards attached, you'll get an error message explaining this as a reminder, and you will not be able to proceed until those devices have been unplugged. The company has also assured users that the inappropriate drive reassignment issue will be addressed in a future build.

By and large, this isn't a major issue, because few (if any) machines actually run their OS from such a drive. So the workaround is a fairly simple one, but there is an added wrinkle to consider. The blocking mechanism only works if you're running the April 2018 or October 2018 builds (versions 1803 and 1809, respectively). If you're running an older version of Windows 10, you won't be blocked from receiving the update even if you have a USB-connected drive attached.

At this time, it is unclear what exactly caused the issue in the first place and the company has not established a firm time frame for when it will be addressed. Again, it's not something that is especially difficult to get around, although it will add slightly to the overhead needed to keep the machines on your company's network completely up to date.

Note that, as the name implies, the update is slated for release in May 2019, and Windows 10 users can delay the company's semi-annual update if they wish to do so.

Microsoft Is Keeping Paint Program For Now
https://www.agileis.com/2019/05/14/microsoft-is-keeping-paint-program-for-now/
Tue, 14 May 2019 15:00:00 +0000

Back in July 2017, Microsoft created a bit of an uproar when they released a build of Windows 10 that promoted their new Paint 3D app.

Paired with the new arrival was an announcement that the classic Windows Paint program would be deprecated and ultimately removed from the OS in subsequent versions.

Paint has been part of the Windows ecosystem and landscape since the very beginning. It has little to recommend it, featuring only the most basic of functionality and a skimpy set of features. Given that, the company was amazed at the outcry from the user community when the announcement was made.

Despite its many shortcomings, it turns out that the little program was much loved, and its diehard core of users rabidly defended it. As a result, the company gave MS Paint a stay of execution, but insisted that the day would inevitably come when the program would be no more.

The company's stay of execution took the form of leaving Paint in place, but each time a user opened it, they'd receive a pop-up message that read: "Product alert: Paint will soon be moving to the Microsoft Store. Don't worry; it will still be free to download once it moves there."

That was the situation for more than a year, but then, the message suddenly vanished. This renewed concerns that the aging program might be back on the chopping block.

Microsoft recently confirmed, however, that for the time being, Paint isn't going anywhere. They reaffirmed that if and when it is removed from the OS, it will still be freely available as a download. If you're a fan or even an occasional user of MS Paint, that's good news. Say what you will, but the venerable program certainly has staying power.